NORMSERVIS s.r.o.

IEC 63208-ed.1.0

Low-voltage switchgear and controlgear and their assemblies - Security requirements

STANDARD published on 22.8.2025

English - electronic design (pdf) (615.10 USD)
English - Print design (615.10 USD)
English - CD-ROM (617.00 USD)

French - electronic design (pdf) (615.10 USD)
French - Print design (615.10 USD)
French - CD-ROM (617.00 USD)

English and French - electronic design (pdf) (615.10 USD)
English and French - Print design (615.10 USD)
English and French - CD-ROM (617.00 USD)

Information about the standard:

Standard designation: IEC 63208-ed.1.0
Publication date: 22.8.2025
Number of pages: 126
Approximate weight: 409 g (0.90 lbs)
Country: International technical standard
Category: Technical standards IEC

Annotation of standard text IEC 63208-ed.1.0:

IEC 63208:2025

This document applies to the main functions of switchgear and controlgear and their assemblies, called equipment, in the context of operational technology (OT, 3.1.34). It is applicable to equipment with wired or wireless data communication means and their physical accessibility, within their limits of environmental conditions. It is intended to achieve the appropriate physical and cybersecurity mitigation against vulnerabilities to security threats.

This document provides requirements on the appropriate:
– security risk assessment to be developed including the attack levels, the typical threats, the impact assessment and the relationship with safety;
– levels of exposure of the communication interface and the determination of the equipment security level;
– assessment of the exposure level of the communication interfaces;
– assignment of the required security measures for the equipment;
– countermeasures for the physical access and the environment derived from ISO/IEC 27001;
– countermeasures referring to IEC 62443-4-2 with their criteria of applicability;
– user instructions for installation, operation and maintenance;
– conformance verification and testing, and
– security protection profiles by family of equipment (Annex E to Annex I).

In particular, it focuses on potential vulnerabilities to threats resulting in:
– unintended operation, which can lead to hazardous situations;
– unavailability of the protective functions (overcurrent, earth fault, etc.);
– other degradation of main function.

It also provides guidance on the cybersecurity management with the:
– roles and responsibilities (Table 4);
– typical architectures (Annex A);
– use cases (Annex B);
– development methods (Annex C);
– recommendations to be provided to users and for integration into an assembly (Annex D);
– bridging references to cybersecurity management systems (Annex K).

This document does not cover security requirements for:
– information technology (IT);
– industrial automation and control systems (IACS), engineering workstations and their software applications;
– critical infrastructure or energy management systems;
– network device (communication network switch or virtual private network terminator), or
– data confidentiality other than for critical security parameters;
– design lifecycle management. For this aspect, see IEC 62443-4-1, ISO/IEC 27001 or other security lifecycle management standards.